Password change log

So, it’s mandatory password change day for me today. In line with many organisations, the OU requires its users to change their password at regular intervals – at the moment, every three months/90 days. Also, in pursuit of improved security, they’ve recently reduced the number of unsuccessful login attempts you can make on your account before it locks you out. This has the unfortunate side effect of meaning that when you change your password on your desktop machine, your phone or tablet – sitting quietly in your pocket or handbag – will keep trying to connect using your old password, which will lock you out of your account.
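As an added illustration (not part of the original post) of why a device still holding the old password trips the lockout so quickly, here is a small Python model of a Windows-style lockout policy (a failure threshold plus a ‘reset the counter after N quiet minutes’ window) run against a few assumed devices and poll intervals. The device names, poll intervals and thresholds are constructed for the example, not the OU’s real settings.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int      # failed logons that lock the account
    reset_window: int   # minutes with no failure after which the counter clears


@dataclass
class Device:
    name: str
    poll_interval: int  # minutes between reconnect / mail-poll attempts
    stale: bool = True  # True: still presents the OLD password after the change


def failure_times(devices: Iterable[Device], horizon: int) -> List[int]:
    """Minutes (after the password change) at which some stale device fails a logon."""
    times = [t for d in devices if d.stale
             for t in range(d.poll_interval, horizon + 1, d.poll_interval)]
    return sorted(times)


def time_to_lockout(devices: Iterable[Device], policy: LockoutPolicy,
                    horizon: int = 240) -> Optional[int]:
    """Minute at which the account locks, or None if it survives the horizon."""
    recent: List[int] = []  # failures that still count towards the threshold
    for t in failure_times(devices, horizon):
        # the counter resets once reset_window minutes pass with no failure
        if recent and t - recent[-1] > policy.reset_window:
            recent = []
        recent.append(t)
        if len(recent) >= policy.threshold:
            return t
    return None


# Constructed sample fleet: a laptop retrying wifi (802.1X) every 2 min,
# a phone polling mail every 5 min and a tablet every 10 min (assumed values).
FLEET = [Device("laptop", 2), Device("phone", 5), Device("tablet", 10)]
# The colleague's approach: everything but the PC is off, so nothing retries.
POWERED_OFF = [Device(d.name, d.poll_interval, stale=False) for d in FLEET]

if __name__ == "__main__":
    for thr in (10, 5):   # the old and the newly reduced threshold (assumed)
        pol = LockoutPolicy(threshold=thr, reset_window=30)
        print(f"threshold {thr}: lockout at minute {time_to_lockout(FLEET, pol)}")
    print("devices off first:", time_to_lockout(POWERED_OFF, LockoutPolicy(5, 30)))
    lone = [Device("phone", 40)]  # one slow poller against a 30-minute reset window
    print("lone slow phone:", time_to_lockout(lone, LockoutPolicy(5, 30)))
```

Lowering the threshold from 10 to 5 moves the lockout from minute 14 to minute 8 in this model, while a single device polling less often than the reset window never locks the account at all, which is why the number of devices matters more than any one of them.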

I had a very bad encounter with this issue six months ago when I lost most of a day to it. The problem was made particularly hard to resolve by the fact that we’d just gone over to IP phones connected to our PCs, so when I was locked out of my account, and therefore my PC, I couldn’t phone IT to get them to unlock my account, and had to go to another office some way away to ring them. Which meant the ‘Try now – is it working?’ bits of the conversation had big gaps in the middle while I hung up and scurried back to my desk, then went back to the room with the phone, redialled, waited to get through, and then updated the new person at the other end of the line with what was going on. (Things are better now – I have a direct IP phone on my desk, and these days my office usually has people in it, which means I can borrow a phone from someone if that one’s not working.)

Three months ago – the last time I had to update my passwords – I was aware of the problem, and did it carefully and systematically in just under an hour, with no accidental lockouts! I also kept a sketchy list of what I did. Today I did it again, tweaking the list a bit as I went so I can follow it quickly next time.

Here’s my procedure. I’m posting it mainly to make it really easy for me to find in three months’ time (and I’ll print off a copy and leave it in my desk drawer). It’s obviously only directly relevant to me and my devices, but it might be useful to other OU people or people with similar setups.


Before getting in to campus wifi range

Disable wifi on laptop

Disable wifi on phone

On campus

Check iMac is asleep

PC

Wake up PC

Unlock PC using old password, prompted to change to new password – do so.

Outlook 2010: perhaps better left to later, but I had left it open – asks for username & password. Give it the new one and tick ‘Remember my password’.

Chrome: Settings, Show advanced settings, Passwords and forms, Manage saved passwords (link). Search (box in top right) for any saved passwords for open.ac.uk (except dev servers and wikis) and delete.

IE: Tools, Internet Options, Content tab, AutoComplete, Settings button. Delete AutoComplete history. Deselect all but Temporary Internet Files (for housekeeping) and Passwords. Delete (button). (IE doesn’t let you manage individual saved passwords except by going to the site it’s saved a password for, highlighting the username and pressing the delete key, which gives you a prompt to delete it. I believe there exist plugins/toolbars to do this for you, but I’m not keen.)

Restart PC. (Start work on phone while it reboots.) (Triggers a UNS.exe Application error with memory that could not be “read” (!). That happens sometimes when I restart. Make note to explore that a bit later.)

Settings > Wifi > On, then as soon as the list of networks comes up, tap the arrow on each one and click ‘Forget this network’ on eduroam, ouguest, and oustaff, before the connection completes. (This step is easier on Android, where you can see and manage – and more importantly, delete – wifi networks that are not in range.)

Change location to ‘eduroam’. Same again: delete eduroam, ouguest, oustaff from Preferred Networks list, and change password in 802.1X tab. Same again for locations ‘oustaff’ and ‘ouguest’.

Switch back to usual Location. Click Apply.

Turn AirPort on. Click 802.1X Connect.

Check web access, resume Dropbox syncing.

Outlook 2011: Get ‘Mail could not be received at this time / Would you like to try re-entering your password?’. Yes. Enter new password and tick ‘Remember this password in my keychain’.

iMac (wired Ethernet)

Wake it up.

Chrome: Settings, Show advanced settings, Passwords and forms, Manage saved passwords (link). Search (box in top right) for any saved passwords for open.ac.uk (except dev servers and wikis) and delete.

Go to Intranet, enter username and password.

Job done in 50 minutes, including the time to tweak this list to be up to date. Next quarter, maybe only half an hour!

Things that keep this list from being longer: Not using OU services on any of my Linux VMs, so none of them have my OU password anywhere. Not having mail set up on the desktop iMac. Not having mail set up or any OU passwords saved on my home PC. Not having a tablet. Saving fewer OU passwords in the browsers I use. (It would, of course, be even shorter if I only ever used a single desktop PC that was very locked down.)

A Mac-expert colleague, whose expertise I trust (and who is welcome to identify themselves and comment further), suggests that this is more work than is needed, and that if you’re not using the ouguest network (which they recommend you shouldn’t), you are Ok if you just shut down all your devices except the one that you change the password on, then bring the others up one by one and change the wifi passwords when they try to connect but fail.

Update 3 June 2013: This quarter’s update took more than an hour, but most of that was not password stuff, but my aged desktop PC having trouble doing too many things at once (applying a week of security patches). I did the quick procedure my colleague mentioned – turned off all devices, changed the password on the desktop PC, then brought the others up one by one and entered new passwords as prompted – and it worked a dream.

Update 4 September 2013: And even better this time. My password expired while I was on leave, which was a bit of fun and games to get working again. (Note to self and others: all the info about how to do it yourself is behind the login – but the link you need is https://pwreset.open.ac.uk/ (the s in https is required) – which works so long as you set it up before your password expired.) But the Helpdesk were helpful, and it was only about 30 minutes’ work total, including having to do a lot of it twice – once for the temporary reset password, and then again for the new one.

–
This work by Doug Clow is copyright but licenced under a Creative Commons BY Licence.
No further permission needed to reuse or remix (with attribution), but it’s nice to be notified if you do use it.

Ooh no, I would really hate it if eduroam was a separate set of username/password credentials! One of the many great things about eduroam for me is that it isn’t yet another account to maintain or remember. The OU’s infrastructure and some of the things it connects to have got way better in terms of single sign-on over the last ten or fifteen years. I’d hate to go back to the bad old days when I first arrived and the Library gave me two A4 pages of usernames and passwords for the various services I might want to access.

You can sync Chrome profiles – I think it’s even easier than in Firefox – but I don’t want to for all sorts of reasons. I have different machines optimised for different jobs, and don’t want to have them all set up the same. Also, I’d rather not give Google (or whoever, in the FF case) even more information than I already do, particularly saved passwords. Live or near-live updating of e.g. session cookie data would be an active pain – one of the things that I use multiple machines for is to look at the same site in different user contexts. And the laptop and PC are old and creaky, and quickly get bogged down when doing multiple things – yet another sync process running wouldn’t help.

Doug, I do what your Mac expert colleague suggests and it works for me. My only issue is that I’ve forgotten some of my answers to questions that the FIM Identity Manager raises when I go to reset my password. This means that my account is sometimes locked out by me not remembering who was, for example, my best friend from my childhood etc. I’ve been reliably informed that the best thing to do with these questions is to ‘make up a memorable answer’ rather than trying to remember which of your friends you selected as best or which pet was your favourite etc.

Ok – I might give the more relaxed wifi approach a go next time (provided I don’t have a pressing deadline!). The delete-em-first approach was Helpdesk advice, which a number of other people have had too.

Those security questions are terrible, and I have similar problems in thinking of correct or even memorable answers. I experience them as a whole extra set of passwords that frankly an attacker has probably a better chance of getting right than I do. And even worse, so many sites ask the same questions, and while we might be careful about maintaining unique passwords on every system we use, there’s no way we can remember five to ten extra backup passwords for each.

I’m considering switching over to a password manager system, so that I can generate and use secure passwords as the ‘answers’ to these sort of things.

(I’ve set up questions for the FIM Identity Manager, but never actually used the password reset system. When my account was locked, I couldn’t get in to the Intranet to find where the self-service password reset system is! For my own future reference it is here: https://pwreset.open.ac.uk)

Wow, Doug. This spoke to me because I’ve been ignoring the ‘your password expires in X days’ for a little while now until I have time to line things up. So very helpful. BUT just think of what else we could do in 50 minutes. Pleasant walk; cycle quite a long way; cook a meal; do more than one job on the work job list perhaps!

“‘[s]ome of the largest, highest value and most attacked sites on the Internet such as Paypal, Amazon and Fidelity Investments allow relatively weak passwords,’ primarily because these web sites earn revenue by having people login.” Jason Hong quoting Florencio and Herley (2010). http://cacm.acm.org/blogs/blog-cacm/123889-password-policies-are-getting-out-of-control/fulltext
Not sure if this is still the case in 2013, though it feels like it for the one service he mentions that I do use.
Hong also makes the point that having user satisfaction as part of the performance metrics for security systems might help, and has a couple of other useful-looking suggestions, some of which may already be in place at the OU, e.g. help desk costs and security costs in the same budget.
Unfortunately, I think your situation is still likely to be the same in 90 days time – unless you lose a device or two!

Yes, it seems a natural result of the incentives at play. When nothing bad happens to you when you mandate more intrusive security, but a security breach would be a career-limiting incident, the rational course is to make security more intrusive even if the improvement in security is only marginal. The same sort of calculus is at play with airline security, with an added dose that many people feel more secure when security is intrusive, regardless of whether the intrusion materially increases security. (What Bruce Schneier calls “security theater” does work in the sense that it makes many people feel more secure.)

Doug – my solution:
1. work out an “unguessable”, easy to type password in advance
2. bring all four of my devices into the University
3. change password on my laptop – and then quickly:
4. change password on ipad, android tablet and android phone

Yes – this seems to work for some people, but definitely doesn’t for others, including a colleague this morning. I suspect there may even be a single cause, or a handful – some app on some device that if configured in a particular way causes problems in these circumstances.